From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Niklas Schnelle , "Liam R. Howlett" , David Hildenbrand , Vasily Gorbik
Subject: [PATCH 5.10 04/63] s390/pci_mmio: fully validate the VMA before calling follow_pte()
Date: Fri, 24 Sep 2021 14:44:04 +0200
Message-Id: <20210924124334.381661941@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210924124334.228235870@linuxfoundation.org>
References: <20210924124334.228235870@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: David Hildenbrand

commit a8b92b8c1eac8d655a97b1e90f4d83c25d9b9a18 upstream.

We should not walk/touch page tables outside of VMA boundaries when holding only the mmap sem in read mode. Evil user space can modify the VMA layout just before this function runs and e.g., trigger races with page table removal code since commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address; use vma_lookup() instead.

Reviewed-by: Niklas Schnelle
Reviewed-by: Liam R. Howlett
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Signed-off-by: David Hildenbrand
Signed-off-by: Vasily Gorbik
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/pci/pci_mmio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/pci/pci_mmio.c +++ b/arch/s390/pci/pci_mmio.c @@ -128,7 +128,7 @@ static long get_pfn(unsigned long user_a mmap_read_lock(current->mm); ret = -EINVAL; vma = find_vma(current->mm, user_addr); - if (!vma) + if (!vma || user_addr < vma->vm_start) goto out; ret = -EACCES; if (!(vma->vm_flags & access))
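Review bot: the commit message ends with "use vma_lookup() instead", but the hunk in get_pfn() open-codes the equivalent test as `if (!vma || user_addr < vma->vm_start)`; a one-line backport note below the `---` marker (e.g. "vma_lookup() does not exist in 5.10, open-code the start-address check") would spare stable reviewers from working out why the hunk differs from the upstream commit. The check itself is correct: find_vma() returns the first VMA whose vm_end lies above user_addr, so user_addr can still fall in the unmapped gap below vm_start, and the added condition now rejects that case through the existing `ret = -EINVAL; goto out` path before the access-flag check and follow_pte() are reached.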